NIS2: 1. Perform a gap analysis

We wrote at https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the first step in implementing the NIS2 requirements is to perform a gap analysis.


The most critical part of a gap analysis is to define upfront which standard or security framework you are comparing the existing situation against.

When assessing security maturity it is usual to compare against the ISO/IEC 27000 family of standards, ISO 27001 in particular, because it defines the requirements for an information security management system (ISMS) and, in Annex A, a catalogue of controls that can serve as the reference list.

Performing a gap analysis of a company’s security posture against ISO 27001 means comparing its current security measures and practices with the requirements specified in the standard.

This analysis helps identify areas where the company’s security posture aligns with the standard (compliance) and areas where there are gaps or deficiencies (non-compliance). Here’s a technical breakdown of the process:


  1. Familiarize yourself with ISO 27001
    Understand the ISO 27001 standard and its security requirements. This includes studying the Annex A controls, which represent a comprehensive set of security best practices (the 2022 revision groups them into organizational, people, physical and technological controls).
  2. Define the Scope
    Determine the scope of the analysis, starting with which areas of the organization’s information security management system (ISMS) will be assessed, such as specific departments, processes, assets, or locations.
    Then decide which parts of the company’s operations will be assessed. This could include networks, systems, applications, physical security, personnel, and other relevant components.
    Keep in mind that usually the goal of the company is not to reach ISO 27001 compliance but to see its maturity level and how prepared it is for cybersecurity events and incidents.
    This means that the mapping to the ISO 27001 controls (see below) does not need to be extremely strict, unless the goal really is achieving ISO 27001 certification.
  3. Conduct Interviews and Gather Information
    Collaborate with key stakeholders, security personnel, and IT staff to collect the relevant documentation.
    Relevant documentation is anything related to the company’s security practices: policies, procedures, risk assessments, and controls.
    This also includes security manuals, configuration details, system logs, incident reports, and other related documents. Interviews are needed because written policies often differ from what is actually practiced; note both.
  4. Create a Gap Analysis Checklist
    Develop a detailed checklist that maps the ISO 27001 controls to the company’s existing security controls and practices. The checklist should include, for each control, a description, the implementation status, the supporting evidence, and any gaps or deviations. Always keep in mind what was decided in “2. Define the Scope”, because this determines the depth of the analysis.
  5. Assess Current Security Controls for Non-Compliance
    For each control in the checklist, assess whether the company has implemented the control as specified by ISO 27001. Evaluate the effectiveness of the existing controls in meeting the standard’s requirements, based on the evidence collected, not only on what the policy documents claim. Identify gaps and areas where the company’s security measures do not meet the standard’s expectations. These gaps may include missing controls, insufficient implementation, inadequate documentation, or deviations from best practices.
  6. Prioritize and Rate the Gaps
    Classify the identified gaps based on their severity and potential impact on security. Assign a risk rating to each gap (for example, derived from the likelihood of exploitation and the impact on the business) to help prioritize remediation efforts.
  7. Propose Remediation Measures
    For each identified gap, suggest specific remediation measures to address the deficiencies. These measures should align with ISO 27001 requirements and aim to improve the company’s security posture.
  8. Create an Action Plan
    Create a detailed action plan that outlines the steps to be taken to address each identified gap. This plan should include timelines, responsibilities, and resources required for implementation.
  9. Reassess and Update
    Periodically repeat the gap analysis process to assess the company’s security stance and ensure continuous improvement. Regularly review and update the action plan based on new threats, changes in the organization’s structure, or updates to the ISO 27001 standard.
  10. Monitor and Review Progress
    Once the action plan is underway, monitor the progress of each remediation effort and periodically review the improvements made. Track the status of each gap and ensure that the company is moving towards closing them, or towards full ISO 27001 compliance if certification is the goal.


The post NIS2: 1. Perform a gap analysis first appeared on Sorin Mustaca on Cybersecurity.